1. Field of the Invention
The present invention relates to an apparatus and method for increasing the security of electronic communications while reducing the logistics involved. More specifically, the preferred embodiments of the present invention relate to a security infrastructure involving electronic cryptographic communications.
2. Description of Related Art
Electronic cryptography involves the use of encryption and decryption keys to render the information transmitted to be undecipherable for unintended recipients. It is hoped only the authorized recipient, being in possession of the required decryption key, will be able to decipher the data that is sent.
However, such a system may be breached if an unauthorized party has knowledge of the cryptographic keys. This can occur through unintentional disclosure or by breaking of the code by a xe2x80x9chackerxe2x80x9d. Conventional systems attempt to decrease the likelihood of a security breach by using longer encryption key codes and better management of the key infrastructure. Nevertheless, even systems using longer encryption key codes are susceptible to breach by a hacker, especially in today""s world of powerful computers. Further, management of the key infrastructure increases logistics and maintenance costs, and may create opportunities for unintended disclosure of cryptographic keys.
To overcome the problems described above, preferred embodiments of the present invention provide apparatuses and methods for the secure transmission of encrypted data where the likelihood of interception of the keys by a hacker as well as the costs of maintaining a robust security system are greatly diminished.
A preferred embodiment of the present invention includes first and second timing elements, and first and second key storage units containing a plurality of keys in a predetermined order for selection of keys depending on respective key times, wherein the key times occur periodically according to the first and second timing elements, respectively. A data encryptor obtains a new key from the first key storage unit at each occurrence of a key time of the first key storage unit. The data encryptor holds the key for a key period and uses the key to encrypt the data inputted during the key period. Also, at least one data decryptor is provided with a data decryptor obtaining a new key from the second key storage unit at each occurrence of a key time of the second key storage unit. The data decryptor uses the key for a key period to decrypt the encrypted data.
Another preferred embodiment of the present invention includes at least two data decryptors. The first data decryptor has a current key period, and the second data decryptor has a key period preceding or succeeding the current key period. The data decryptors each hold a key that corresponds to their respective key periods at substantially the same time such that one of those keys matches the key used to encrypt the received encrypted data.
Another preferred embodiment of the present invention includes at least three data decryptors. The second data decryptor has a current key period, the first data decryptor has a key period preceding the current key period, and the third data decryptor has a key period succeeding the current key period. The data decryptors each hold a key that corresponds to their respective key periods at substantially the same time such that one of those keys matches the key used to encrypt the received encrypted data.
In another preferred embodiment of the present invention, a method for secure cryptographic communications between a sender location and a receiver location is provided which method includes providing first and second timing signals at sender and receiver locations, respectively. Also included is providing a first and second plurality of keys in a predetermined order, and providing a plurality of key times periodically according to said first and second timing signals, respectively. For encryption, the method involves obtaining a new key from said first plurality of keys at each occurrence of the key times, holding the key for a key period, and using the key to encrypt data inputted during said key period. For decryption, the method involves obtaining a new key from the second plurality of keys at each occurrence of the key times, holding the key for a key period, and decrypting the encrypted data with the key.
In preferred embodiments of the present invention, the system stores and/or generates in real-time a multitude of encryption keys in the crypto portion of the hardware supplied to an authorized user community. These keys, symmetric or asymmetric in structure, are preferably not known to any of the users. This solves one of the most pervasive causes of security breachesxe2x80x94the unintentional disclosure of an encryption key. These stored and/or generated encryption keys are preferably time synchronized in the hardware of the authorized user community so that the key used to encrypt data at the sending end is the same key that decrypts the data at the receiving end(s).
The preferred embodiments of the present invention provides several advantages. First, in one preferred embodiment, no key is transferred across the communication media, whether sent by courier, sent electronically in the clear or sent via cryptographic means. Thus, keys cannot be intercepted in such an embodiment. Second, by time synchronizing the authorized user community, the infrastructure is provided to regularly change the keys. System robustness is maintained over a wide range of key periodicity. A practical range for key change is days to nanoseconds. Frequency of key change is influenced by the level of security desired and the accuracy of time synchronization. The more frequent the key change, the higher the security level. Thus, changing keys creates an extremely high entry barrier for the hacker. Thus in preferred embodiments, the keys are changed preferably faster than the state-of-the-art of computing power that a hacker could apply to decipher the keys.
Due to the simplicity of the key infrastructure described, no key manager is required in the user community, which significantly reduces logistics costs and chances for security breaches. Transmission speed is inherently increased since no bandwidth is wasted on key transfer and authentication. Also, the preferred embodiments of the present invention allow for the utilization of different cryptographic algorithms since key management is independent of encryption algorithms.
Other advantages of the preferred embodiments of the present invention include that the encryption keys are unknown to anyone in the authorized user community, hence no unintentional disclosure can occur. At the same time, no xe2x80x9cpublicxe2x80x9d or xe2x80x9cprivate user communityxe2x80x9d database exists for keys or any portions of keys, hence this significantly hinders any access to information relating to the keys or their infrastructure. In one preferred embodiment, no third-party Key Authenticators or Certifiers (CAs Certificate Authorities) are required since the preferred embodiment eliminates substantially the possibility of spoofing an unknown key.
Other important improvements over conventional systems include being able to support numerous cryptographic algorithms, both symmetric and asymmetric. At the same time, architecture using multiple key generation blocks can be used to support PKI like functions. Tiered access and separate levels of security and access within a user community are also possible in one preferred embodiment. Furthermore, the key management scheme of the preferred embodiments is suitable for point to point as well as broadcast communications. And, finally, multiple seed inputs and the resultant remap of information assures against spoofing of the crypto modules of one piece of key data.
Other features, elements, and advantages of the present invention will be described in detail below with reference to preferred embodiments of the present invention and the attached drawings.